1. Enable Hive authorization (legacy mode) in hive-site.xml

The properties below switch on Hive's legacy (default) authorization. Note that this mode is designed to prevent accidental misuse, not to stop a malicious user: until section 4 adds a hook, any user can run GRANT and REVOKE.
```xml
<!-- Have the metastore verify HDFS permissions on the table/partition location
     before metadata operations such as DROP. -->
<property>
<name>hive.metastore.authorization.storage.checks</name>
<value>true</value>
</property>
<!-- Metastore operations run as the metastore server user instead of the client user. -->
<property>
<name>hive.metastore.execute.setugi</name>
<value>false</value>
</property>
<!-- Master switch for Hive authorization. -->
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<!-- Privileges granted automatically when a table is created:
     to its owner, to listed users, and to listed groups (format: name:priv,priv;name:priv). -->
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.createtable.user.grants</name>
<value>etl:ALL;hive:ALL</value>
</property>
<!-- No whitespace inside <name>: Hive would read a different, unknown key and silently ignore the setting. -->
<property>
<name>hive.security.authorization.createtable.group.grants</name>
<value>etl:ALL;hive:ALL</value>
</property>
<!-- Task factory that compiles GRANT/REVOKE/SHOW GRANT statements. -->
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
```
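As an added example (not part of the original page), the following Python script audits a hive-site.xml for the settings above. It parses the file, checks that the authorization properties carry the expected values, and flags property names containing stray whitespace, since Hive would treat such a name as a different key and the intended setting would never apply. The expected values and the two embedded sample configurations (one weak, one corrected) are constructed for this example.

```python
"""Audit hive-site.xml for the legacy-authorization settings of section 1.

Added example; the expected values below are an assumption based on this
page's configuration, not a Hive or Cloudera-provided policy.
"""
import xml.etree.ElementTree as ET

# Properties that must carry exactly this value.
EXPECTED = {
    "hive.security.authorization.enabled": "true",
    "hive.metastore.authorization.storage.checks": "true",
    "hive.security.authorization.task.factory":
        "org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl",
}

# Properties that only need to be present, so new tables get explicit grants.
REQUIRED_PRESENT = (
    "hive.security.authorization.createtable.owner.grants",
    "hive.security.authorization.createtable.group.grants",
)


def parse_hive_site(xml_text):
    """Return {raw_name: value}; names are NOT stripped so whitespace defects stay visible."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is None:
            continue
        props[name] = (value or "").strip()
    return props


def audit(xml_text):
    """Return a sorted list of findings; an empty list means the file passes."""
    props = parse_hive_site(xml_text)
    findings = []
    # A name such as "...group.grants " (trailing space) is a different key to Hive.
    for raw_name in props:
        if raw_name != raw_name.strip():
            findings.append("whitespace in property name: %r" % raw_name)
    clean = {k.strip(): v for k, v in props.items()}
    for name, want in EXPECTED.items():
        got = clean.get(name)
        if got is None:
            findings.append("missing: %s" % name)
        elif got != want:
            findings.append("unexpected value for %s: %r (want %r)" % (name, got, want))
    for name in REQUIRED_PRESENT:
        if name not in clean:
            findings.append("missing: %s" % name)
    return sorted(findings)


# Constructed sample: authorization left off and a trailing space in one property name.
SAMPLE_WEAK = """<configuration>
  <property><name>hive.metastore.authorization.storage.checks</name><value>true</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.security.authorization.createtable.owner.grants</name><value>ALL</value></property>
  <property><name>hive.security.authorization.createtable.group.grants </name><value>etl:ALL;hive:ALL</value></property>
  <property><name>hive.security.authorization.task.factory</name><value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value></property>
</configuration>"""

# Constructed sample: the same file with both defects corrected.
SAMPLE_FIXED = SAMPLE_WEAK.replace(
    "<value>false</value>", "<value>true</value>").replace("group.grants </name>", "group.grants</name>")


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit(text) or "OK")
```

Run it against a real file with `audit(open("/etc/hive/conf/hive-site.xml").read())`; the weak sample reports two findings (the wrong value and the whitespace name), the fixed sample reports none.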
2. Authorization syntax

Square brackets mark an optional keyword; statements end with a semicolon.

```sql
-- Create and drop roles
create role role_name;
drop role role_name;
-- List all roles
show roles;
-- Grant privileges to a role
grant select on database db_name to role role_name;
grant select on [table] t_name to role role_name;
-- Show a role's privileges
show grant role role_name on database db_name;
show grant role role_name on [table] t_name;
-- Assign a role to a user
grant role role_name to user user_name;
-- Revoke privileges from a role
revoke select on database db_name from role role_name;
revoke select on [table] t_name from role role_name;
-- Show all roles of a user
show role grant user user_name;
```
| Privilege | Meaning |
|---|---|
| ALL | All privileges |
| ALTER | Modify the object's metadata (table definition) |
| UPDATE | Modify the object's physical data (the actual rows) |
| CREATE | Run CREATE operations |
| DROP | Run DROP operations |
| INDEX | Create indexes (not yet implemented) |
| LOCK | LOCK and UNLOCK the object when concurrency is enabled |
| SELECT | Run SELECT on the object |
| SHOW_DATABASE | View the available databases |
3. Possible exception after enabling Hive authorization

```
Could not create a hive database cloudera_manager_metastore_canary_test_db_hive_HIVEMETASTORE_6da700a6bd79816eb36878227cd598b9 MetaException
```

Cloudera Manager runs a Hive health check called the Hive Metastore Canary Health Test, which creates a test database through the metastore; the error above comes from that check.

Reference (quoted from Cloudera support):

> There is a known bug with the hive canary that may cause it to fail constantly - the client-configs we are using to connect to the hive metastore are partial. This may be the root cause of this failure. Do you have security enabled on the cluster? Did you change the Hadoop.rpc.protection configuration option? A fix is going to be available very soon with the next release of cloudera manager (5.1, 5.2, 5.3) and hopefully it will solve the problem. In the meantime you can disable the hive metastore canary.

To disable the Hive Metastore Canary:
CM GUI --> Hive --> Configuration --> search for "metastore_canary_health_enabled" and uncheck (disable) it. Save the setting and restart Hue, Oozie and Hive.
4. Hive super-administrator permission management

Hive's legacy authorization has no super-administrator: any user can run GRANT/REVOKE. To emulate one, register a hive.semantic.analyzer.hook and implement your own permission-check class. Two caveats: the hook runs inside the Hive query compiler (CLI / HiveServer2), so clients that talk to the metastore directly bypass it, and the username it sees comes from the configured authenticator, which is only trustworthy when the cluster actually authenticates users (Kerberos); without that a client can assert any username.

```xml
<property>
<name>hive.semantic.analyzer.hook</name>
<value>com.hive.HiveAdmin</value>
</property>
```
Implement the custom class com.hive.HiveAdmin:

```java
package com.hive;

import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

/**
 * Semantic analyzer hook that only lets the user "admin" run database,
 * role, GRANT and REVOKE statements. Registered via hive.semantic.analyzer.hook,
 * it is invoked before every statement is compiled by the Hive CLI / HiveServer2.
 */
public class HiveAdmin extends AbstractSemanticAnalyzerHook {

    /** The only user allowed to run administrative statements. */
    private static final String ADMIN = "admin";

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        switch (ast.getToken().getType()) {
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE: {
                // Username as reported by the configured authenticator. Without
                // Kerberos this is whatever the client asserted, so the check is
                // only as strong as cluster authentication.
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                // Exact, case-sensitive match: "Admin" and "admin" are different OS users.
                if (!ADMIN.equals(userName)) {
                    throw new SemanticException(userName + " can't use ADMIN options, except " + ADMIN + ".");
                }
                break;
            }
            default:
                break;
        }
        return ast;
    }
}
```